Now, as you know the -o option pushes the data down to /dev/fwdata. Well, the question is how do I tell what rule caused the packet to be dropped to userspace? I don't need to know the ipchain name or such, but whether it is coming INTO or going OUT OF the system. The box may be a router, so checking the source/destination vs the machine's IP isn't going to work.

Is there anything I can look at inside the iphdr or tcphdr of a packet that will tell me which direction it's moving?

[ more details ]

In reality what I am doing is writing a stateful/heuristic packet filter with ipchains. I thought it would be neat that instead of putting a timeout value on holes opened up, I could examine the incoming packets (that match my dynamically added ACCEPT rules) and use _that_ flow to keep-alive the accept rule. (SPF 1.1, which inspired me, watches only outgoing data to determine if a port needs to be kept open. A unidirectional data flow with UDP, for example, would get shut down with that method after its timeout as the inside box isn't sending back data to keep spf aware that the port needs to remain open).
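The keep-alive idea in the last paragraph, as an added example that is not from the original post or from SPF/ipchains: a constructed Python flow table in which a dynamically opened hole is refreshed by a packet seen in either direction, so a one-way UDP stream does not time out. It assumes the dynamic rule records both endpoints (direction is then read off which end of the stored tuple the packet's source matches, not from the kernel), an assumed 30-second idle timeout, and a constructed UDP packet builder for sample input.

```python
import struct
import time

IDLE_TIMEOUT = 30.0  # assumed idle time (seconds) before a hole is closed


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, sport, dport) from a raw IPv4 packet.
    Ports are read for TCP (6) and UDP (17); other protocols get 0/0."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4          # header length honours IP options
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def build_ipv4_udp(src, dst, sport, dport, payload=b"") -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options, zero checksum) + UDP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


class HoleTable:
    """Dynamically opened ACCEPT holes keyed by (proto, inside, iport, outside, oport)."""

    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so expiry can be tested offline
        self.holes = {}         # key -> expiry timestamp

    def open_hole(self, proto, inside, iport, outside, oport):
        self.holes[(proto, inside, iport, outside, oport)] = self.now() + IDLE_TIMEOUT

    def seen(self, pkt: bytes) -> bool:
        """Refresh the matching hole whether the packet is outbound or inbound."""
        proto, src, dst, sport, dport = parse_ipv4(pkt)
        for key in ((proto, src, sport, dst, dport),    # inside -> outside
                    (proto, dst, dport, src, sport)):   # outside -> inside
            if key in self.holes:
                self.holes[key] = self.now() + IDLE_TIMEOUT
                return True
        return False

    def expire(self):
        """Close holes that have seen no traffic in either direction; return their keys."""
        dead = [k for k, exp in self.holes.items() if exp <= self.now()]
        for k in dead:
            del self.holes[k]
        return dead
```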